An improved authentication scheme for BLE devices with no I/O capabilities

Bluetooth Low Energy (BLE) devices have become very popular because of their Low energy consumption and prolonged battery life. They are being used in smart wearable devices, home automation systems, beacons, and many more areas. BLE uses pairing mechanisms to achieve a level of peer entity authentication as well as encryption. Although there are a set of pairing mechanisms available, BLE devices with no keyboard or display mechanism (and hence using the Just Works pairing) are still vulnerable. In this paper, we propose and implement a light-weight digital certificate-based authentication mechanism for the BLE devices using the Just Works model. The proposed model is an add-on to the existing pairing mechanism and can be easily incorporated into the existing BLE stack. To counter the Man-in-The-Middle attack scenario in Just Works pairing (device spoofing), our proposed model allows the client and peripheral to use the popular Public Key Infrastructure (PKI) to establish peer entity authentication and a secure cryptographic tunnel for communication. We have also developed a light-weight BLE profiled digital certificate containing the bare minimum fields required for resource-constrained devices, which significantly reduces the memory (about 90% reduction) and energy consumption. We have experimentally evaluated the device's energy consumption and execution time using the proposed pairing mechanism to demonstrate that the model can be easily deployed with fewer changes to the power requirements of the chips. The model has been formally verified using an automatic verification tool for protocol testing.